CMS Discloses Breach Affecting 75K People, Offering Few Details

Some form of data breach has hit the U.S. Centers for Medicare & Medicaid Services, exposing the information of roughly 75,000 people and prompting an investigation, according to the agency.

The breach affected the Federally Facilitated Exchanges’ (FFE) Direct Enrollment pathway, which enables agents and brokers to help “consumers with applications for coverage in the FFE,” according to a CMS release that was sent to journalists at 5:22 p.m. Friday.

Reached by phone, a CMS official who only gave his first name, Jeremy, declined to provide details on which patient populations are affected and what kind of personal information was compromised. He directed all questions to CMS’s press email box, and we will update when more information becomes available.

“I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted,” CMS Administrator Seema Verma, MPH, said in a statement. “We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”

CMS staff “detected anomalous activity” on Oct. 13 and declared it a breach on Oct. 16. Officials “took immediate steps to secure the system and consumer information,” according to the press release. The agency began investigating the incident and notified federal law enforcement agents.

CMS deactivated the agent and broker accounts connected to the irregular activity and disabled the Direct Enrollment pathway.

“We are working to address the issue, implement additional security measures and restore the Direct Enrollment pathway for agents and brokers within the next 7 days,” CMS said in its announcement.

In the release and through its spokesperson, CMS said the investigation into the data breach is in the early stages. The agency plans to provide more details going forward.

It’s unclear whose information was compromised or by whom. The scope of breached data — whether it be names, addresses, medical histories or anything else — also remains in question.

The CMS breach, however, has not yet appeared on the Office for Civil Rights data breach page. If it does end up in that database, the CMS breach would be the largest reported so far in October.

“Our number one priority is the safety and security of the Americans we serve,” Verma said in the release. “We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information.”
